VMware vRealize Automation 7.x Lighttpd Security Technical Implementation Guide

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]

Details

Version / Release: V1R1

Published: 2018-10-12

Updated At: 2018-11-03 10:31:10

Findings

Rule | Version | CCI | Severity | Title | Description
SV-99869r1_rule | VRAU-LI-000005 | CCI-000054 | MEDIUM | Lighttpd must limit the number of simultaneous requests. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a web site, facilitating a denial of service attack. Mitigating this kind of attack will include limiting the number of concurrent HTTP/HTTPS requests. Lighttpd
SV-99871r1_rule | VRAU-LI-000015 | CCI-000068 | MEDIUM | Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would b
SV-99873r1_rule | VRAU-LI-000020 | CCI-001453 | MEDIUM | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99875r1_rule | VRAU-LI-000025 | CCI-000067 | MEDIUM | Lighttpd must be configured to use mod_accesslog. | Lighttpd is the administration panel for vRealize Automation. Because it is intended to provide remote access to the appliance, vRA must provide remote access information to external monitoring systems. mod_accesslog is the module in Lighttpd that config
SV-99877r1_rule | VRAU-LI-000035 | CCI-000169 | MEDIUM | Lighttpd must generate log records for system startup and shutdown. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server functionalities may be logged as well. Lighttpd records system even
SV-99879r1_rule | VRAU-LI-000045 | CCI-001462 | MEDIUM | Lighttpd must capture, record, and log the IP address associated with a user session. | A user session to a web server is in the context of a user accessing a hosted application that extends to any plug-ins/modules and services that may execute on behalf of the user. Lighttpd logs user activity in the access.log file using the Common Log Fo
SV-99881r1_rule | VRAU-LI-000050 | CCI-000130 | MEDIUM | Lighttpd must produce log records containing sufficient information to establish what type of events occurred. | Ascertaining the correct type of event that occurred is important during forensic analysis. The correct determination of the event and when it occurred is important in relation to other events that happened at that same time. Without sufficient informat
SV-99883r1_rule | VRAU-LI-000055 | CCI-000131 | MEDIUM | Lighttpd must produce log records containing sufficient information to establish when (date and time) events occurred. | Ascertaining the correct order of the events that occurred is important during forensic analysis. Events that appear harmless by themselves might be flagged as a potential threat when properly viewed in sequence. By also establishing the event date and ti
SV-99885r1_rule | VRAU-LI-000060 | CCI-000132 | MEDIUM | Lighttpd must produce log records containing sufficient information to establish where within the web server the events occurred. | Ascertaining the correct location or process within the web server where the events occurred is important during forensic analysis. Correctly determining the web service, plug-in, or module will add information to the overall reconstruction of the logged
SV-99887r1_rule | VRAU-LI-000065 | CCI-000133 | MEDIUM | Lighttpd must produce log records containing sufficient information to establish the source of events. | Ascertaining the correct source, e.g. source IP, of the events is important during forensic analysis. Correctly determining the source will add information to the overall reconstruction of the loggable event. By determining the source of the event correctl
SV-99889r1_rule | VRAU-LI-000075 | CCI-000134 | MEDIUM | Lighttpd must produce log records containing sufficient information to establish the outcome (success or failure) of events. | Ascertaining the success or failure of an event is important during forensic analysis. Correctly determining the outcome will add information to the overall reconstruction of the loggable event. By determining the success or failure of the event correctly,
SV-99891r1_rule | VRAU-LI-000095 | CCI-000162 | MEDIUM | Lighttpd must have the correct ownership on the log files to ensure they are only accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99893r1_rule | VRAU-LI-000100 | CCI-000162 | MEDIUM | Lighttpd must have the correct group-ownership on the log files to ensure they are only accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99895r1_rule | VRAU-LI-000105 | CCI-000162 | MEDIUM | Lighttpd must have the correct permissions on the log files to ensure they are only accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99897r1_rule | VRAU-LI-000110 | CCI-000163 | MEDIUM | Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99899r1_rule | VRAU-LI-000125 | CCI-000164 | MEDIUM | Lighttpd must have the correct ownership on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-99901r1_rule | VRAU-LI-000140 | CCI-001348 | MEDIUM | Lighttpd log data and records must be backed up onto a different system or media. | Protection of Lighttpd log data includes assuring log data is not accidentally lost or deleted. Backing up Lighttpd log records to an unrelated system or onto separate media than the system the web server is actually running on helps to assure that, in th
SV-99903r1_rule | VRAU-LI-000145 | CCI-001749 | MEDIUM | Lighttpd files must be verified for their integrity before being added to a production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. The Lighttpd web server files on vRA must be
SV-99905r1_rule | VRAU-LI-000150 | CCI-001749 | MEDIUM | Lighttpd expansion modules must be verified for their integrity before being added to a production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the information. Expansion modules that are installed on the
SV-99907r1_rule | VRAU-LI-000160 | CCI-000381 | MEDIUM | Lighttpd must prohibit unnecessary services, functions or processes. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application layer of the OSI model. Office suites, development tools, and g
SV-99909r1_rule | VRAU-LI-000170 | CCI-000381 | HIGH | Lighttpd must only contain components that are operationally necessary. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production web server must only contain components that are operationa
SV-99911r1_rule | VRAU-LI-000185 | CCI-000381 | MEDIUM | Lighttpd must have MIME types for csh or sh shell programs disabled. | Users must not be allowed to access the shell programs. Shell programs might execute shell escapes and could then perform unauthorized activities that could damage the security posture of the web server. A shell is a program that serves as the basic inter
SV-99913r1_rule | VRAU-LI-000190 | CCI-000381 | MEDIUM | Lighttpd must only enable mappings to necessary and approved scripts. | Lighttpd will only allow or deny script execution based on file extension. The ability to control script execution is controlled with the cgi.assign variable in lighttpd.conf. For script mappings, the ISSO must document and approve all allowable file exte
SV-99915r1_rule | VRAU-LI-000195 | CCI-000381 | MEDIUM | Lighttpd must have resource mappings set to disable the serving of certain file types. | Resource mapping is the process of tying a particular file type to a process in Lighttpd that can serve that type of file to a requesting client and to identify which file types are not to be delivered to a client. Lighttpd provides the url.access-deny p
SV-99917r1_rule | VRAU-LI-000200 | CCI-000381 | MEDIUM | Lighttpd must not have the Web Distributed Authoring (WebDAV) module installed. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a ser
SV-99919r1_rule | VRAU-LI-000205 | CCI-000381 | MEDIUM | Lighttpd must not have the webdav configuration file included. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to allow users to create, change, and move documents on a ser
SV-99921r1_rule | VRAU-LI-000210 | CCI-000381 | MEDIUM | Lighttpd must prevent hosted applications from exhausting system resources. | When it comes to DoS attacks, most of the attention is paid to ensuring that systems and applications are not victims of these attacks. While it is true that those accountable for systems want to ensure they are not affected by a DoS attack, they also nee
SV-99923r1_rule | VRAU-LI-000215 | CCI-000381 | HIGH | Lighttpd must not use symbolic links in the Lighttpd web content directory tree. | A symbolic link allows a file or a directory to be referenced using a symbolic name, raising a potential hazard if symbolic linkage is made to a sensitive area. When web scripts are executed and symbolic links are allowed, the Lighttpd could be allowed to
SV-99925r1_rule | VRAU-LI-000220 | CCI-000382 | MEDIUM | Lighttpd must be configured to use port 5480. | Lighttpd is used as the web server for vRealize Automation's Virtual Appliance Management Interface (vAMI). To segregate appliance management from appliance operation, Lighttpd can be configured to listen on a separate port. Port 5488 is the recommended p
SV-99927r1_rule | VRAU-LI-000225 | CCI-000197 | MEDIUM | Lighttpd must use SSL/TLS protocols in order to secure passwords during transmission from the client. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to authenticate the vAMI admin must be sent to Lighttpd via SSL/TL
SV-99929r1_rule | VRAU-LI-000235 | CCI-000186 | MEDIUM | Lighttpd must have private key access restricted. | Lighttpd's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and clients. Only authenticated system administrators or the designated PKI Sp
SV-99931r1_rule | VRAU-LI-000245 | CCI-000803 | MEDIUM | Lighttpd must be configured to use only FIPS 140-2 approved ciphers. | Use of cryptography to provide confidentiality and non-repudiation is not effective unless strong methods are employed with its use. Many earlier encryption methods and modules have been broken and/or overtaken by increasing computing power. The NIST FIPS
SV-99933r1_rule | VRAU-LI-000255 | CCI-001082 | HIGH | Lighttpd must prohibit non-privileged accounts from accessing the directory tree, the shell, or other operating system functions and utilities. | As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access
SV-99935r1_rule | VRAU-LI-000260 | CCI-001082 | HIGH | Lighttpd must have the latest version installed. | Allowing malicious users the capability to traverse the server directory tree can create significant vulnerabilities. Such information and the contents of files listed should not be normally readable by the web users as they often contain information relevant
SV-99937r1_rule | VRAU-LI-000310 | CCI-001190 | MEDIUM | The Lighttpd baseline must be maintained. | Without maintenance of a baseline of current Lighttpd software, monitoring for changes cannot be complete and unauthorized changes to the software can go undetected. Changes to Lighttpd could be the result of intentional or unintentional actions.
SV-99939r1_rule | VRAU-LI-000335 | CCI-001094 | MEDIUM | Lighttpd must protect against or limit the effects of HTTP types of Denial of Service (DoS) attacks. | In UNIX and related computer operating systems, a file descriptor is an indicator used to access a file or other input/output resource, such as a pipe or network connection. File descriptors index into a per-process file descriptor table maintained by the
SV-99941r1_rule | VRAU-LI-000345 | CCI-001312 | MEDIUM | Lighttpd must disable directory browsing. | If not disabled, the directory listing feature can be used to facilitate a directory traversal exploit. Directory listing must be disabled. Lighttpd provides a configuration setting, dir-listing.activate, that must be set properly in order to globally di
SV-99943r1_rule | VRAU-LI-000350 | CCI-001312 | MEDIUM | Lighttpd must not be configured to use mod_status. | Any application providing too much information in error logs and in administrative messages to the screen risks compromising the data and security of the application and system. The structure and content of error messages needs to be carefully considered
SV-99945r1_rule | VRAU-LI-000355 | CCI-001312 | MEDIUM | Lighttpd must have debug logging disabled. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or trace information is enabled in a production web server, in
SV-99947r1_rule | VRAU-LI-000370 | CCI-002314 | HIGH | Lighttpd must be configured to utilize the Common Information Model Object Manager. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely an
SV-99949r1_rule | VRAU-LI-000410 | CCI-001855 | MEDIUM | The web server must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the log capturing mechanisms, and log storage capacity being rea
SV-99951r1_rule | VRAU-LI-000415 | CCI-001890 | MEDIUM | Lighttpd audit records must be mapped to a time stamp. | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by the web server include date and time. Time is commonly expre
SV-99953r1_rule | VRAU-LI-000420 | CCI-001889 | MEDIUM | Lighttpd must record time stamps for log records to a minimum granularity of time. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and must be to a granularity of one second. In order to ensure t
SV-99955r1_rule | VRAU-LI-000425 | CCI-001813 | MEDIUM | Lighttpd must prohibit non-privileged accounts from accessing the application, libraries, and configuration files. | As a rule, accounts on the Lighttpd server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the Lighttpd server. The resources to which these accounts have access
SV-99957r1_rule | VRAU-LI-000430 | CCI-001762 | MEDIUM | Lighttpd must not be configured to listen to unnecessary ports. | Web servers must provide the capability to disable or deactivate network-related services that are deemed to be non-essential to the server mission, are too unsecure, or are prohibited by the PPSM CAL and vulnerability assessments. Lighttpd will listen o
SV-99959r1_rule | VRAU-LI-000435 | CCI-002450 | MEDIUM | Lighttpd must be configured with FIPS 140-2 compliant ciphers for https connections. | Transport Layer Security (TLS) is optional for a public web server. However, if authentication is being performed, then the use of the TLS protocol is required. Without the use of TLS, the authentication data would be transmitted unencrypted and would b
SV-99961r1_rule | VRAU-LI-000450 | CCI-002385 | MEDIUM | Lighttpd must be protected from being stopped by a non-privileged user. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. To prohibit an attacker from stopping the Lighttpd, the process ID (pid)
SV-99963r1_rule | VRAU-LI-000460 | CCI-002418 | MEDIUM | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99965r1_rule | VRAU-LI-000465 | CCI-002418 | MEDIUM | Lighttpd must be configured to use the SSL engine. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99967r1_rule | VRAU-LI-000485 | CCI-002418 | HIGH | Lighttpd must use an approved TLS version for encryption. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web server and client. FIPS 140-2 approved TLS versions must be enab
SV-99969r1_rule | VRAU-LI-000490 | CCI-002418 | MEDIUM | Lighttpd must remove all export ciphers to transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The Lighttpd will reply with the cipher suite it will use for communication from the clie
SV-99971r1_rule | VRAU-LI-000500 | CCI-002422 | MEDIUM | Lighttpd must be configured to use SSL. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed logic in a web page may expose business logic or trusted s
SV-99973r1_rule | VRAU-LI-000505 | CCI-002605 | MEDIUM | Lighttpd must have the latest approved security-relevant software updates installed. | All vRA components, to include Lighttpd, are under VMware configuration management control. The CM process ensures that all patches, functions, and modules have been thoroughly tested before being introduced into the production version. By using the most
SV-99975r1_rule | VRAU-LI-000515 | CCI-000366 | MEDIUM | Lighttpd must disable IP forwarding. | IP forwarding permits Lighttpd to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers. Lighttpd is not implemented as a router. With the url.redirect
SV-100975r1_rule | VRAU-LI-000115 | CCI-000163 | MEDIUM | Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-100977r1_rule | VRAU-LI-000120 | CCI-000163 | MEDIUM | Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized modification. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-100979r1_rule | VRAU-LI-000130 | CCI-000164 | MEDIUM | Lighttpd must have the correct group-ownership on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-100981r1_rule | VRAU-LI-000135 | CCI-000164 | MEDIUM | Lighttpd must have the correct permissions on the log files to ensure they are protected from unauthorized deletion. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity would be difficult, if not impossible, to achieve. In
SV-100983r1_rule | VRAU-LI-000165 | CCI-000381 | MEDIUM | Lighttpd proxy settings must be configured. | A web server should be primarily a web server or a proxy server but not both, for the same reasons that other multi-use servers are not recommended. Scanning for web servers that will also proxy requests into an otherwise protected network is a very commo
SV-100985r1_rule | VRAU-LI-000375 | CCI-002314 | MEDIUM | Lighttpd must restrict inbound connections from nonsecure zones. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform management functions. A web server can be accessed remotely and
SV-100987r1_rule | VRAU-LI-000400 | CCI-001851 | MEDIUM | Lighttpd must be configured to use syslog. | Writing events to a centralized management audit system offers many benefits to the enterprise over having dispersed logs. Centralized management of audit records and logs provides for efficiency in maintenance and management of records, enterprise analys
SV-100989r1_rule | VRAU-LI-000405 | CCI-001851 | MEDIUM | Lighttpd must be configured to use syslog. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic purposes, forensics purposes, or other purposes relevant to ensur